
Zeus-family trojan spreads via botnet

Spammers flog P2P malware.

A new wave of spam campaigns is dispensing “Gameover,” the only banking trojan in the Zeus family to use peer-to-peer (P2P) communications to hide its activities.

The threat of the malware has become even more pervasive now that criminals are using Cutwail, the world's largest spam botnet, to deliver malicious emails containing Gameover. The spam is made to look like messages from top U.S. banks, researchers at Dell SecureWorks Counter Threat Unit (CTU) found, with the hopes of luring users into clicking attached PDF files.

Brett Stone-Gross, a senior security researcher, told SCMagazine.com Wednesday that the botnet consists of about 200,000 compromised PCs distributing Gameover, which has resulted in more than half a million infections.

The deceptive emails often say that they are “secure” messages from banks, and the PDF attachment even reads “securemessage.pdf.zip.” Once users download the attachment, a downloader called “Pony” is executed, which installs Gameover. The trojan was discovered in October 2011, likely related to the leak of Zeus source code five months earlier.
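The lure described above relies on a filename that looks like a document but is really an archive. As an added example (not code from the article or from Dell SecureWorks), this Python script flags mail attachments whose names hide an archive or executable extension behind a document extension; the sample message and its attachment bytes are constructed placeholders, and the extension lists are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a user expects to see on a harmless document (the visible lure).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "html"}
# Extensions that actually decide what happens when the file is opened.
RISKY_EXTS = {"zip", "rar", "7z", "exe", "scr", "js", "vbs", "jar"}

def deceptive_double_extension(filename):
    """Return (visible, real) when a document extension is used as a lure in
    front of an archive/executable extension, e.g. 'securemessage.pdf.zip'
    -> ('pdf', 'zip'); otherwise None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    visible, real = parts[1], parts[2]
    if visible in DOCUMENT_EXTS and real in RISKY_EXTS:
        return (visible, real)
    return None

def flag_suspicious_attachments(raw_message):
    """Parse an RFC 5322 message and list (filename, reason) for attachments
    whose names disguise an archive or executable as a document."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pair = deceptive_double_extension(name)
        if pair:
            findings.append((name, f".{pair[0]} lure hiding .{pair[1]} payload"))
    return findings

def build_sample():
    """Constructed message mimicking the 'secure message' lure; the attachment
    bytes are placeholders, not a real archive or malware."""
    msg = EmailMessage()
    msg["From"] = "secure-messaging@bank.example"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "You have a new secure message"
    msg.set_content("Please open the attached secure message.")
    msg.add_attachment(b"PK-placeholder", maintype="application", subtype="zip",
                       filename="securemessage.pdf.zip")
    msg.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_string()

if __name__ == "__main__":
    for name, reason in flag_suspicious_attachments(build_sample()):
        print(f"FLAG {name}: {reason}")
```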

In addition to the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, Gameover is especially insidious because a complementary capability allows it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

“The interesting thing that we've seen with this group [of attackers] is they've used DDoS attacks against financial institutions to distract them from Zeus attacks,” Stone-Gross said.

The botnet's P2P communications make it particularly hard to shut down, he added.

“What makes this unique and very different from a centralized botnet is there is no central point of communication that can be targeted by law enforcement,” Stone-Gross said. “In a peer-to-peer network, infected systems constantly communicate with each other instead of the [command-and-control] server and exchange binary files, configuration files and send stolen data to [designated] peers.”

In January, the FBI warned users of Gameover attackers who spread the trojan through phishing scams that claimed to be correspondence from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank and the Federal Deposit Insurance Corp. (FDIC).
